Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-64650

Upgrade Commons FileUpload from 1.3.1-jenkins-2 to 1.4

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Fixed
    • Icon: Minor Minor
    • core
    • None
    • 2.278

      Background

      See jenkinsci/jenkins#5174. Subsumes jenkinsci/jenkins#5171. See also the corresponding mailing list thread.

      Problem

      Jenkins core uses a fork of Commons FileUpload 1.3.1 (which was released upstream on February 7, 2014). Two changes were made to the Jenkins fork:

      1. DiskFileItem was made no longer Serializable in commit 28d997704f as part of SECURITY-159 on September 27, 2014. Upstream made the same change over 4 years later in 1.4 (which was released on December 23, 2018).
      2. The fix for CVE-2016-3092 (originally released upstream in 1.3.2 on May 26, 2016) was backported to the Jenkins fork in commit ea981a029c as part of SECURITY-490 on September 28-29, 2017.

      Solution

      As of 2021, the latest upstream release (1.4) contains all the changes present in the fork; therefore, the fork is no longer necessary. Furthermore, it prevents us from receiving upstream fixes.

      Solution

      Upgrade to the latest upstream release, Commons FileUpload 1.4.

            basil Basil Crow
            basil Basil Crow
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: